OSF DCE Administration Guide--Core Components

In the path, the B_product cell has a transitive trust path up to its ancestor, B_Company,
and from B_Company to A_Company. But from A_Company, the transitive trust path
cannot continue up to A_Company’s ancestor, although it can continue down to
A_Company’s descendants. Because this transitive trust relationship has traversed up to
a trust ancestor (B_Company) and across to a trust peer (A_Company), it cannot then
continue by going up to A_Company’s ancestor (A_Conglomerate). This type of
relationship might be used by two companies that have decided to combine operations at
a very high level.
Note that a principal accessing a foreign cell through transitive trust relationships is not
authenticated by each cell transited in the trust path, but only by the target cell itself.
The authentication service in a transited cell simply gives the principal a ticket to the
next cell in the path, stamping the ticket with the hierarchical name of the transited cell,
until the principal acquires a ticket to the target cell.
To determine whether or not to give a principal a ticket to the next cell in a transitive
trust path, the authentication service in each transited cell examines the ticket,
compares the last cell transited with the next cell in the path, and applies the rules of
transitive trust described in this section. If the next cell to be transited is consistent with
a valid transitive trust path, the authentication service gives the principal a ticket to
the next cell; otherwise, the authentication service refuses to issue a ticket.
33.2 Creating Trust Relationships
To create peer-to-peer relationships, follow these steps:
1. Run the registry connect command to create cross-cell authentication accounts
(an account in your cell’s registry and another account in the foreign cell’s
registry).
2. Optionally, use the account modify command to fine-tune the attributes of the
account, which were assigned by default when the account was created. For
example, the account’s expiration date (expdate attribute) defaults to none. You
may want to enter a date to ensure that the account will be actively renewed after a
period of time.
3. Ensure that the system administrator in the foreign cell changes the acctvalid flag
of the account that represents your cell to yes in order to indicate that the account
is valid. If one or both accounts are invalid, no cross-cell communications can
take place.
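The following Python model is an added example, not code from the OSF DCE guide or from any DCE implementation. It ties the two passages above together: the cross-cell accounts that registry connect creates (named krbtgt/<cell>, as the next subsection describes) and the acctvalid flag that gates whether a peer relationship can be used, and the hop-by-hop decision each transited cell's authentication service makes when it stamps a ticket for the next cell. The cell hierarchy, registries, account defaults (both accounts start with acctvalid=no here), and the function names are all constructed assumptions; only the rule stated in this section is modeled (a path that has gone up to an ancestor and across to a peer may not go up again), so other rules of the full section are not represented.

```python
"""Added example: hop-by-hop evaluation of a DCE transitive trust path.
Cell names, hierarchy, registries and function names are constructed."""
from dataclasses import dataclass, field

# Constructed hierarchy: child cell -> parent cell (None = no ancestor named).
PARENT = {
    "/.../A_Conglomerate": None,
    "/.../A_Company": "/.../A_Conglomerate",
    "/.../A_product": "/.../A_Company",
    "/.../B_Company": None,
    "/.../B_product": "/.../B_Company",
}

# One registry per cell: principal name -> acctvalid flag (constructed).
REGISTRY = {cell: {} for cell in PARENT}


def cross_cell_principal(cell_name):
    """Primary name of the cross-cell account: strip /.../ and prefix krbtgt/."""
    short = cell_name[len("/.../"):] if cell_name.startswith("/.../") else cell_name
    return "krbtgt/" + short


def registry_connect(my_cell, foreign_cell):
    """Model of step 1: one account in each cell's registry.
    Assumption: both accounts start with acctvalid=no until an administrator
    in that cell sets the flag (step 3)."""
    REGISTRY[my_cell][cross_cell_principal(foreign_cell)] = False
    REGISTRY[foreign_cell][cross_cell_principal(my_cell)] = False


def account_modify(cell, principal, acctvalid):
    """Model of account modify for the acctvalid attribute only."""
    REGISTRY[cell][principal] = acctvalid


def peer_usable(a, b):
    """A peer relationship works only if both accounts exist and are valid."""
    return (REGISTRY[a].get(cross_cell_principal(b), False)
            and REGISTRY[b].get(cross_cell_principal(a), False))


def hop_kind(last, nxt):
    """Classify the hop from the last transited cell to the next cell."""
    if PARENT.get(last) == nxt:
        return "up"
    if PARENT.get(nxt) == last:
        return "down"
    if peer_usable(last, nxt):
        return "peer"
    return None  # no hierarchical or peer trust between the two cells


@dataclass
class Ticket:
    client: str
    for_cell: str                                    # cell this ticket is good for
    transited: list = field(default_factory=list)    # stamps from transited cells
    hops: list = field(default_factory=list)         # up / down / peer per hop


def issue_next_ticket(ticket, nxt):
    """Authentication service of ticket.for_cell decides whether to issue a
    ticket to nxt. Returns (new_ticket, None) or (None, refusal_reason)."""
    here = ticket.for_cell
    kind = hop_kind(here, nxt)
    if kind is None:
        return None, f"{here}: no trust relationship with {nxt}"
    # Rule from the text: once the path has crossed to a peer it cannot go up again.
    if kind == "up" and "peer" in ticket.hops:
        return None, f"{here}: path already crossed to a peer; cannot go up to {nxt}"
    stamped = Ticket(ticket.client, nxt, ticket.transited + [here], ticket.hops + [kind])
    return stamped, None


def evaluate_path(client, cells):
    """Walk the path one cell at a time, as the transited cells would.
    Returns (ticket_for_target, None) or (None, reason for the first refusal)."""
    ticket = Ticket(client, cells[0])   # the principal's home-cell ticket
    for nxt in cells[1:]:
        ticket, reason = issue_next_ticket(ticket, nxt)
        if ticket is None:
            return None, reason
    return ticket, None


if __name__ == "__main__":
    registry_connect("/.../B_Company", "/.../A_Company")
    account_modify("/.../B_Company", "krbtgt/A_Company", True)
    account_modify("/.../A_Company", "krbtgt/B_Company", True)
    base = ["/.../B_product", "/.../B_Company", "/.../A_Company"]
    for target in ("/.../A_product", "/.../A_Conglomerate"):
        ticket, reason = evaluate_path("alice", base + [target])
        print(target, "->", ticket.hops if ticket else f"refused: {reason}")
```

Running the block shows the path from B_product down into A_product succeeding with hops up, peer, down, while the path that tries to continue from A_Company up to A_Conglomerate is refused by A_Company's authentication service. Because the registries start with acctvalid=no, omitting either account_modify call makes the peer hop fail at B_Company instead, which is the situation step 3 warns about.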
33.2.1 Command Options for the registry connect Command
When you use the registry connect command, you must supply the fully qualified name
of the foreign cell with which you will establish a peer-to-peer relationship. This name
is stripped of the full pathname, prefixed with krbtgt, and used as the primary name of
the account’s principal. For example, if you enter a cell name of /.../dresden.com, the
33 8 Tandem Computers Incorporated 124243